Testing 3rd Party JSON app with security issues

I was able to find the json docs and load them into SOATest. When I try to run a test script, I get authorization errors. I have set up and tried different HTTP Authentication types and it still gives me the 401 error. I've used Swagger to open the json docs and was finally able to get them to run after finding the little blue box to turn on for authentication. I'm using the same username and password in SOATest 9.10, using the same api. I've set the security to NTLM, as the response with the authentication error (in swagger) shows the www-authenticate using "Negotiate, NTLM". I've set global and parents and all the different security options I can find to NTLM, with the username and password that works in Swagger and I keep getting 401, Unauthorized.

Any ideas?

0

Comments

Make sure you know for certain what kind of authentication is required. If you are confident it is NTLM then you must configure the NTLM settings in the tests's HTTP Options tab under HTTP Authentication. If you need to specify a domain, prefix the username with the domain name and a backslash (as in DOMAIN\username). Otherwise, maybe you have a typo or the service isn't really using NTLM. Please also verify you are using SOAtest 9.9.4 or later which added full support for NTLMv2. Older versions of SOAtest only worked with NTLMv1 and some less secure NTLMv2 configurations.

I'm using SOATest 9.10. I can run the API in Swagger using the authoization switch and the curl shows --header "Authorization: Bearer .
In SOATest, I get the same 401: Unauthorized error if I use Basic or NTLM. I've been using the domain\userid format since this is on a different domain from our normal setup. I have Authentication set up on the parent Test Suite using NTLM and this seems to go away and I have to keep putting it back. I've set this also on the api I'm testing so it doesn't have to go back up to the parent level in case it doesn't stick after the save.

If I try running directly in a browser, I get a login pop up and after filling in the domain\userid and password, I get the 401 not authorized message. Swagger is encoding the userid and password and sending that in the curl after Authorization: Bearer. Didn't show up in my reply above.

Thanks for the feedback! Since we are dealing with OAuth, we will need to make a set-up call to retrieve the access token from your service. We can chain a databank to your set-up client to extract and store the required token in a variable. You could then parameterize the variable in the HTTP header field for your subsequent calls.

I've been trying to follow the steps in the 9.10 User guide under HTTP 1.0 and I'm getting very confused. Is there another doc that has more detail or a video of this?
Is this something that will need to be set up for each API or once it is working for one this can be used for all of them?

The steps required to implement OAuth2 is slightly easier and should be provided in the Userguide under "Using OAuth 2.0". Admittedly, the steps provided in the userguide don't go into much detail about implementation, but once you have the initial test set up to retrieve the token, the same token will work for the subsequent clients. Try following the steps provided under "Using OAuth 2.0" and let us know if there is any specific step you are having trouble with.

Got through the first step 'Request Authorization'. Since I am getting this from Swagger, the access_token and such are coming back in the HTTP Traffic from the Authorize step. Since it is the Traffic viewer, I'm going to have to capture the values using a different method than the Text Data Bank as I don't have a Request > Validate Header. The data is in the Response from Traffic. Not able to find the right tool to extract this data.

I got the text data bank set and now creating the REST Client. It is looking for the URL that has all the parameters. Do I need to merge the URL I used for the text bank with the Text Content of the Text Data Bank?
I added the output to the test script step where I do the Authorize in swagger as that is the step that has the token in the HTTP Traffic Viewer.
Steps I've taken
Add New Test > REST Client
Service Definition: None
Method: Fixed GET
URL: Fixed > ?????

The authorization code does not come back in any URL that I can put in the REST Client.
Here is the Traffic Viewer from the Text Data Bank

Here is the what I get in the Text Data Bank

I had to get the authorization code out of Swagger and it didn't give me back the redirected callback URL from the Service Provider. I can only see the token in the Traffic Viewer and would like a way to grab this and not cut and paste it into a data source. These codes expire and we need to send it the token and the refresh code and a couple of other pieces to be able to run the API's.

Hi All,
I tried the above steps to generate access token but i could not figure out why web browser playback was talked about. we are using OAuth 2.0 i have below data:
AuthURL/AccessTokenURL
client ID
ClientSecret
Scope
GrantType
payloadFormat: URL encoded

with above data can someone let me know how i can generate access token in SOATest ?? i could easily generate one in POSTMAN with above data.

Often times a web page is used to provide a login form to exchange a request token for a verification code. The docs have some explanation and examples for both OAuth 1 and OAuth 2. See Using OAuth Authentication.

payloadFormat: URL encoded

Look at the heading "Obtain access token" in the section of the docs I referenced above. To post URL Encoded payload you can simply use the REST Client. On the Resource tab, select POST in the Method box and the desired URL. On the Payload tab, select URL Encoded in the Payload Format box. Under Input Mode, select Table. This table will let you add any parameters you require.

Hi @benken_parasoft , I have followed your steps and i have passed the data as below
in Resource Tab, i have given URL and method as POST and did not pass any query parameter
in Payload Tab, i have selected
Payload Format : URL Encoded
Content Type : application/x-www-form-urlencoded
Input mode : Table and have passed client_id,client_secret,scope,grant_type along with their values.
in HTTP options : HTTP headers as Content-Type and its value- application/x-www-form-urlencoded.

I am getting blank response and in the error section i am seeing "OAuth parameters must either be 'scope' or start with 'oauth_'
"
Not where i am going wrong. Any clue?

You seem to be describing an error that came back in a response from your oauth service. You are probably sending the wrong parameters or misconfigured your URL Encoded payload in some way. It might be helpful to review what you are sending with SOAtest vs what your other clients are sending so you can identify what's different or misconfigured.

As a reference, section 4 of rfc6749 of the OAuth 2 spec describes the different kinds of token requests, which varies depending on the grant type. I'm not sure which of them you need offhand but I thought I'd point you here for reference: https://tools.ietf.org/html/rfc6749#section-4